CSOonline: Rethinking the process of doing risk assessments

The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.

CSOonline: The state of the CASB market

In just a few years, a lot has happened in the Cloud Access Security Broker (CASB) market.

Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing are CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree, since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASBs will be just as important in the near future as firewalls once were back in the day when PCs were being bought by the truckload. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.

Four things also helped the CASB cause: First was the quick learning curve for security personnel. Second was that the products became more inclusive in terms of application support. Third was the beginnings of a managed service provider business, and finally, multimode operation has become more prevalent.

In this story for CSOonline, I talk about what these products are, why enterprises are motivated to purchase and deploy them, what features you should look for that are appropriate for your network, what your decision points are in the purchase process, and links to many of the major CASB vendors.

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist and his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of the attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers, and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

SecurityIntelligence (IBM blog): Are ransomware attacks rising or falling?

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view. While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks dropped over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM’s Security Intelligence blog.

SecurityIntelligence blog: What Are the Legalities and Implications of Hacking Back?

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.

CSOonline: How Risk-Based Authentication has become an essential security tool

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve the overall customer experience and help with regulatory compliance, as well as simplifying a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods. RBA has also become more compelling as the typical enterprise attack surface has expanded and evolved.

In this article for CSOonline, I discuss some of these compelling reasons for RBA, some of the leading RBA vendors, and what potential buyers should consider.

Corporate blogging rules of the road (and bonus podcast)

Let’s talk about what makes for a successful corporate blog and how you can assemble one of your own. Blogs are an essential element of any corporate marketing strategy, and should be the linchpin of creating an integrated digital marketing campaign that includes email newsletters, social media posts, and other kinds of content. But if you don’t have a strong blog, you will have a difficult time executing any solid marketing campaign.

I have written about corporate blogging for more than 13 years, including this story that ran in Computerworld, and contributed to dozens of different corporate blogs (in addition to running some websites that could be considered blogs if they were created in the modern era). Jeremiah Owyang once said that you shouldn’t accept blogging advice from people that are not bloggers. Given that he has blogged for as long (if not longer) than I have, he is worth paying attention to. I am writing about this again thanks to being inspired by a recent article about Autodesk and its 200-some corporate blogs.

Autodesk is the company behind AutoCAD and some 170 other products in that industry segment. When you first see how many blogs they have, you think: that can’t possibly be the right strategy for them. But the more you look into what they are doing, the more you understand that this is actually brilliant. These different blogs (some of which you can see in the screen capture here) show something more than just quantity. For example, each Autodesk product and blog has its own dedicated marketing team, so it’s up to each to decide how to structure its operation and tell its own story. So as you are examining what Autodesk is doing, here are a few pointers.

First is understanding the key elements in assembling your team that will staff and run a blog. It is more akin to running a publication (something that I have done numerous times over my career in both print and online), but you may not have editorial and production people in-house. That is why it could make sense to outsource part of these back or front office functions of the blog to operations such as Skyword or Contently. While you pay a premium for these services, they can deliver benefits if you don’t have the time, skills or staff to handle these functions. Another part of successful blogging is creating an editorial calendar and planning what you will cover in the next quarter (or longer if you can), posting regularly and selecting the right topics. This makes it easier to assign posts and organize your campaigns.

Next, you need to understand your audience focus and define what the overall purpose of the blog or blogs will be, as well as adjusting to the appropriate level of knowledge for a particular readership. This is something that you want to do up front, before you start creating any posts.

It is also important to take the long view about your blog or blogs; on the Internet, content is eternal and many corporate marketers often make the mistake of having a blog stand up for just a particular campaign. I often get inquiries from something that I posted ten years ago. Many of the blogs and pubs that I have written for have taken down their content. Newsflash: storage and domain services are cheap these days.

Part of any successful blog is also figuring out what your metrics for success are, and that should involve more than just counting simple page views. While we all watch that particular statistic, it doesn’t tell the entire story, such as how engaged our readers are and how many of them convert to trial product versions or refer others who become customers. Figure out how you can track these things effectively.

Finally, make sure you pay your external writers quickly and without a lot of paperwork, otherwise they will migrate elsewhere. (That is where the outsourced back office providers can help.) I know this sounds somewhat self-serving, but I have seen many fine pubs lose talented writers who get frustrated when payments stretch out for months.

If you haven’t had enough suggestions, or if you want to send these suggestions to someone who is a more auditory learner, you can listen to a 20 minute podcast that Paul Gillin and I put together for our FIR B2B episode this week here.

CSOonline: 4 open source red-team ATT&CK-based tools reviewed

In an article that I wrote last week for CSOonline, I described the use of a red team framework from Mitre called ATT&CK. In my post this week, I compare four free open source tools that leverage this framework and how they can be deployed to help expose your network vulnerabilities. The four tools are:

  • Endgame’s Red Team Automation (RTA),
  • Mitre’s own Caldera,
  • Red Canary’s Atomic Red, and
  • Uber’s Metta

Each has its good and bad points. You can read my review here.

CSOonline: What is Mitre’s ATT&CK framework and what red teams need to know

The ATT&CK framework, developed by Mitre Corp., has been around for five years and is a living, growing document of threat tactics and techniques that have been observed from millions of attacks on enterprise networks. The funky acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. It began as an internal project and morphed into this behemoth of a public knowledge base. In this post for CSOonline, I discuss what ATT&CK is, how it can be used, and how some of the numerous security vendors and consultants have picked up on using it.

Security Intelligence blog: Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet from the “Terminator” movie franchise. But I spoke with Dudu Mimram, the CTO at Telekom Innovation Laboratories, when I was in Israel earlier this month, and he has a somewhat rosier view. He suggested that AI must be understood across a broader landscape, regarding how it will influence cybersecurity and how IT can use AI to plan for future security technology purchases. You can read my blog post in IBM’s Security Intelligence here.